Account open

“Voices are unique – but if the system allows for too many discrepancies in the voiceprint for a match, then it’s not secure.

“And that seems to be what’s happened here.”

Prof Vladimiro Sassone, an expert in cyber-security, from the University of Southampton, said biometrics could, in general, be an effective security layer, but there were dangers if companies put too much faith in something that was not 100% secure.

“In principle there should be no room for error at all,” said Prof Sassone.

“It should be good at the first attempt.”

“Voice identification is not like a password system.”

“You can’t forget your voice or get the wrong one.

“After two attempts, systems should be able to say whether it’s a match or not and alert the bank and user if further attempts are made.”

Prof Sassone said using unique biometric traits as a verifier should make it harder for hackers – but if they should be copied by criminals, users could not then change their voice, face, or fingerprint as they would a password.

“If you have to prove it wasn’t you who accessed your account – that it was either a mimic or computer software – then how are you going to do that?” he asked.

“Especially if the bank is claiming the system is perfect.”

Security expert Prof Alan Woodward, from the University of Surrey, said it was dangerous to rely on one biological characteristic to authenticate someone, even if it was one unique to that person.

“Biometric based security has a history of measurements being copied,” he said.

“We’ve seen fingerprints being copied with everything from gummy bears to photographs of people’s hands.

“Hence, biometrics, just like other aspects of security, will always have to evolve as measures emerge to threaten them.

“Security is a story of measure and counter-measure.”

He said HSBC probably needed to reassess its technology and ideally add another “factor” alongside the voiceprint check to authenticate identity.

“As well as requiring something you are, it would require something you know or something you have, like a PIN,” he said.

“That makes it much more difficult to compromise.”

It is not just the ability of humans to fool computers that is worrying some high-tech companies.

Start-up Lyrebird is working on ways to replicate a voice using just a few minutes of recorded speech.

Co-founder Jose Sotelo said there was no doubt this had “implications” for voice identification systems.

“We are working with security researchers to figure out the best way to proceed,” he told Click.

“This is one of the reasons we have not published this to the public yet.

“It’s a scary application but we believe that we should be careful and should not be scared of technology and we should try to make the best out of it,” he said.

“One idea we are considering is to watermark the audio samples we produce so we are able to detect immediately if it is us that generated this sample.”

You can see the full BBC Click investigation into biometric security in special edition of the show on BBC News and on the iPlayer from Saturday, 20 May.